-
Notifications
You must be signed in to change notification settings - Fork 300
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
checksec-2.7.1 FORTIFY detection for processes #241
Comments
The new code is working:
Also in tests/hardening-checks.sh the code for Fortify "Partial" case works:
I can't find yet a solution to test the Fortify "N/A" case as well, although in the above result when testing the system for processes there are many N/A cases. |
I found a solution to test the Fortify "N/A" case, the second half, i.e. Proc_FS_cnt_total=0 by adding a sleep() in the helloworld.c source file:
and now |
I found a solution to generate the nolibc/nolibc_cl test files usable for "Fortify" testing in the case of libc_found=false both for files and processes (tests/hardening-checks.sh).
There are 2 options for compilation:
@slimm609 here I need your decision, I would opt for the first option with NASM installation but it will become a requirement (among many others) for running the tests. It remains to write an .asm file for x86 assembly (different syntax compared to x86-64 presented previously) to complete the Fortify test files for the nolibc case. |
And the solution for nolibc32/nolibc_cl32 test files: nolibc32.asm
Compilation commands:
|
These are all for tests so adding dependencies to the test images is completely fine. These are rather difficult to test int he different scenarios so the more tests we can add, the more reliable the tests will be. There is also a full rewrite/port to golang in progress so these tests will be vital in validating the 2 versions side by side. |
Why not simply compile a regular helloworld.c with the -static flag? That one will also pass the N/A test because the external libc dependency will be gone. |
Hi,
Example in our case (existing fszero and nolibc) and fszero-static compiled with the command: |
As detailed in #236, couldn't the "N/A" and "Partial" cases also apply to running processes?
Example applied to checksec-2.7.1:
./checksec --proc=update-notifier
readlink /proc/3066/exe
./checksec --fortify-file=/usr/bin/update-notifier
./checksec --file=/usr/bin/update-notifier
There is a discrepancy for Fortify in the results in case of options:
also validated with the result of the --fortify-file=/usr/bin/update-notifier option.
In src/functions/proccheck.sh, replace the code from the section
with the code from filecheck.sh
with only 2 changes, that is:
line 3 (adapted to find the path to executables)
readlink ${1}/exe
and line 8 (adapted for processes)
${1}/exe
The new result is:
./checksec --proc=update-notifier
The text was updated successfully, but these errors were encountered: